Ingress

Yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - host: xxx.ctg.com  # optional
    http:
      paths:
      - path: /foo
        backend:
          serviceName: service1
          servicePort: xx

HTTPS

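Suppose we want to reach the tomcat service at https://tomcat.ctg.com. The steps are as follows.

First, create a certificate. Here we use a self-signed certificate.

# Demo key: 1024-bit RSA is below the current minimum recommendation of 2048 bits
$ openssl genrsa -out tls.key 1024
# Self-signed certificate for CN=tomcat.ctg.com, valid for 3650 days
$ openssl req -x509 -new -nodes -key tls.key -subj "/CN=tomcat.ctg.com" -days 3650 -out tls.crt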

The generated tls.key and tls.crt look like this:

$ cat tls.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

$ cat tls.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

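Next, create a Secret to store tls.key and tls.crt. When storing the contents of tls.key and tls.crt in the Secret, remove the first and last lines of each file and join the remaining lines into a single line (that is, remove the line breaks). The resulting Secret looks like this: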

apiVersion: v1
kind: Secret
metadata:
  name: tomcat
type: kubernetes.io/tls
data:
  tls.key: <tls.key content joined into a single line, as described above>
  tls.crt: MIICADCCAWmgAwIBAgIJAO50kZMgRRbxMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNVBAMMDnRvbWNhdC5jdGcuY29tMB4XDTE5MTIyNjA3MzgyN1oXDTI5MTIyMzA3MzgyN1owGTEXMBUGA1UEAwwOdG9tY2F0LmN0Zy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALab+MOBw6O5c7Kvges5CZtDfPsyLkBx3q1j5FKGcLq+mD6cJwcUrZVqFS7l/Zx9eqXiSEmHrU44Jo6MZvWyev/OEzh9cm3R3mGFJp03C9gftZF18sluiFicZ5ujDmBh1TnbrMk0ym+8SNUwhrupjFLxsGXb3RX1vQ1PhTmlMA5pAgMBAAGjUDBOMB0GA1UdDgQWBBS16IlYfCTS1g3f9qm9sMkXoC0zSjAfBgNVHSMEGDAWgBS16IlYfCTS1g3f9qm9sMkXoC0zSjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAIBUAIXwBrmEFj1TAzHVqUNH2OwTgwGqdz6BnZB57hKVoIxPrLARFxxZZruI6UomdQe9bHU+wiA1VQdVX9rhsf9T5Y4e7e1ZmpxP4nHMTn5MYT25ax8A3p7+eHcU5qjT5DGpj4cqV78+dIu6Ly2Uu35ZF4m5jB0sYF+c2Nz/pNII

Then create an Ingress (remember to create the Deployment and Service as well).

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tomcat
spec:
  rules:
  - host: tomcat.ctg.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat
          servicePort: 8080
  tls:
  - secretName: tomcat
    hosts:
    - tomcat.ctg.com

Undefined behavior

1. Identical paths within the same Ingress

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8081

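The Ingress above is created successfully without any error, but when we access x.x.x.x:80/foo it is undefined whether the Nginx-Ingress-Controller forwards to test:8080 or test:8081.

2. Two Ingresses with the same host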

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - host: test.ctg.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test1
spec:
  rules:
  - host: test.ctg.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080

Illegal behavior

1. Identical hosts within the same Ingress

Creating the following YAML file fails with an error because the hosts are identical.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - host: test.ctg.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test
          servicePort: 8080
  - host: test.ctg.com
    http:
      paths: 
      - path: /bar
        backend:
          serviceName: test
          servicePort: 8081
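
A pre-apply check for the three cases above, as an added example that is not part of the original page: it takes Ingress manifests already parsed into Python dicts (the v1beta1 layout used on this page) and reports repeated hosts, repeated paths, and host/path pairs claimed by more than one Ingress. The function names and sample manifests are constructed for illustration, and the cross-Ingress check keys on host plus path, as in the page's second example.

```python
from collections import defaultdict

def rule_paths(rule):
    """Yield (path, 'service:port') for each path entry of one v1beta1 rule."""
    for p in rule.get("http", {}).get("paths", []):
        b = p["backend"]
        yield p.get("path", "/"), f'{b["serviceName"]}:{b["servicePort"]}'

def lint_ingresses(ingresses):
    """Return (kind, message) findings for the cases described on this page."""
    findings = []
    owners = defaultdict(set)  # (host, path) -> names of the Ingresses claiming it
    for ing in ingresses:
        name = ing["metadata"]["name"]
        seen_hosts = set()
        for rule in ing["spec"].get("rules", []):
            host = rule.get("host", "*")  # host is optional; "*" stands for any host
            if host in seen_hosts:
                findings.append(("illegal", f"{name}: host {host} repeated in one Ingress"))
            seen_hosts.add(host)
            backends = defaultdict(list)
            for path, backend in rule_paths(rule):
                backends[path].append(backend)
                owners[(host, path)].add(name)
            for path, targets in backends.items():
                if len(targets) > 1:  # same path listed twice: routing is undefined
                    findings.append(("undefined", f"{name}: {host}{path} -> {', '.join(targets)}"))
    for (host, path), names in owners.items():
        if len(names) > 1:  # two Ingresses claim the same host and path
            findings.append(("undefined", f"{host}{path} claimed by {', '.join(sorted(names))}"))
    return findings

def rule(host, *paths):
    """Build one rule from (path, serviceName, servicePort) tuples (constructed helper)."""
    r = {"http": {"paths": [{"path": p, "backend": {"serviceName": s, "servicePort": n}}
                            for p, s, n in paths]}}
    if host:
        r["host"] = host
    return r

def ingress(name, *rules):
    return {"kind": "Ingress", "metadata": {"name": name}, "spec": {"rules": list(rules)}}

# Constructed samples mirroring the three manifests shown on this page.
DUP_PATH = ingress("test", rule(None, ("/foo", "test", 8080), ("/foo", "test", 8081)))
TWO_INGRESSES = [ingress("test", rule("test.ctg.com", ("/foo", "test", 8080))),
                 ingress("test1", rule("test.ctg.com", ("/foo", "test", 8080)))]
DUP_HOST = ingress("test", rule("test.ctg.com", ("/foo", "test", 8080)),
                   rule("test.ctg.com", ("/bar", "test", 8081)))

if __name__ == "__main__":
    for kind, msg in lint_ingresses([DUP_PATH]) + lint_ingresses(TWO_INGRESSES) + lint_ingresses([DUP_HOST]):
        print(kind, msg)
```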

Last updated 5 years ago


Once the Secret and Ingress from the HTTPS section have been created, the service can be accessed at https://tomcat.ctg.com.